Policy-based routing

Aug 14th, 2010

Dear all, I have some doubts.


I have two ISPs connected to the core switch, and on the core switch I have connected a Bluecoat as a proxy. And I have 8 VLANs.


The issue is that I need to block internet access without the proxy; if anyone wants to access the internet, it should go through the Bluecoat.


Things I have:
- VLAN 2: the Bluecoat
- VLAN 1: the management VLAN
- Other VLANs: users, servers, guests



And I have BVI interfaces in the router; I am using two BVI interfaces.


I have done a route map like this:


ip access-list extended NO_PROXY
 permit tcp any any eq www
 permit tcp any any eq 443
!
! 192.168.1.10 is the Bluecoat IP
route-map LOCAL_ACCESS permit 10
 match ip address NO_PROXY
 set ip next-hop 192.168.1.10
!
! assigned on the local interface
interface BVI1
 ip policy route-map LOCAL_ACCESS


Can you help me block internet traffic without the proxy? It has to go through the proxy only.


Regards,

Giuseppe Larosa Sat, 08/14/2010 - 06:34

Hello,


You need to apply the PBR rule on each client VLAN (and server VLAN if desired/needed), as PBR works only on traffic received by the device.


By doing so, instead of blocking attempts to go directly to the internet, you are redirecting traffic to the proxy.


Also, users might be configured to use a DNS server that replies to each DNS request for internet servers with the proxy IP address.


A different tool you can use is WCCP, but it would need to be configured also on the web cache/proxy.


Hope to help

Giuseppe

mrsystemengineer Sat, 08/14/2010 - 07:51

No, I am not using WCCP. I am using an explicit proxy. So how can I do it?

Correct Answer
Giuseppe Larosa Sat, 08/14/2010 - 11:19

Hello Mr ....,


If you really want to block traffic directed to a web or HTTPS server when the destination IP address != proxy IP address, you can simply use extended ACLs applied inbound on each L3 interface facing clients:


access-list 111 permit tcp any host proxy-ip eq 80
access-list 111 deny tcp any any eq 80
access-list 111 permit tcp any host proxy-ip eq 443
access-list 111 deny tcp any any eq 443
access-list 111 permit ip any any
!
interface Vlan X
 ip access-group 111 in


Do it on all client-facing L3 interfaces.


Hope to help

Giuseppe
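As an added illustration, not code from the thread: a small Python first-match simulator of access-list 111 above, using the 192.168.1.10 Bluecoat address from the original post in place of proxy-ip and constructed client/destination addresses. It shows that direct web traffic on 80/443 is dropped, traffic to the proxy is allowed, and everything else (DNS, and direct TCP on other ports such as 8080) still passes through the final permit ip any any, which is why the ACL only closes the web ports rather than all direct internet access.

```python
import ipaddress

# Constructed example: the Bluecoat address is the 192.168.1.10 given in the
# original post; the destination addresses used in the flows below are made up.
PROXY_IP = "192.168.1.10"

# Each entry mirrors one line of access-list 111:
# (action, protocol, destination host or "any", destination port or None)
ACL_111 = [
    ("permit", "tcp", PROXY_IP, 80),
    ("deny",   "tcp", "any",    80),
    ("permit", "tcp", PROXY_IP, 443),
    ("deny",   "tcp", "any",    443),
    ("permit", "ip",  "any",    None),
]


def evaluate(acl, proto, dst_ip, dst_port):
    """Return the action of the first matching entry, IOS style (first match wins)."""
    for action, a_proto, a_host, a_port in acl:
        if a_proto != "ip" and a_proto != proto:      # "ip" matches any protocol
            continue
        if a_host != "any" and ipaddress.ip_address(a_host) != ipaddress.ip_address(dst_ip):
            continue
        if a_port is not None and a_port != dst_port:
            continue
        return action
    return "deny"  # the implicit deny at the end of every IOS ACL


def check_flows(acl):
    """Evaluate a set of constructed client flows; returns {description: action}."""
    flows = {
        "http to proxy":        ("tcp", PROXY_IP, 80),
        "http direct":          ("tcp", "203.0.113.5", 80),
        "https direct":         ("tcp", "203.0.113.5", 443),
        "dns":                  ("udp", "192.168.1.53", 53),
        "http on 8080 direct":  ("tcp", "203.0.113.5", 8080),
        "pac fetch from proxy": ("tcp", PROXY_IP, 8080),
    }
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, action in check_flows(ACL_111).items():
        print(f"{name:22s} -> {action}")
```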

mrsystemengineer Sat, 08/14/2010 - 12:43

Dear friend,

I will try this and update you. Thanks a lot.

mrsystemengineer Mon, 08/16/2010 - 07:32

Hi, thanks a lot, it's working. But before, I was sending the proxy settings through the Bluecoat "proxy.pac" file, and this file is not working when I am using the extended access list.


Is there any way just to open this complete Bluecoat IP?

Giuseppe Larosa Mon, 08/16/2010 - 13:41

Hello Mrsystemengineer,


>> send proxy through bluecoat "proxy.pac" file


Interesting side effect.


>> is there any way just to open this complete bluecoat IP.


This is possible with an ACL line like:


access-list 111 permit ip any host


You should verify what exactly is exchanged between a client and the Bluecoat to send the proxy.pac file; opening all the IP can be a solution, but it can be too much from a security point of view.


Hope to help

Giuseppe
